fmgr_waf_profile – Web application firewall configuration.¶
New in version 2.10.
Synopsis¶
- This module is able to configure a FortiManager device.
- Examples include all parameters and values need to be adjusted to data sources before usage.
Requirements¶
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
FortiManager Version Compatibility¶
6.0.0 |
6.2.1 |
6.2.3 |
6.2.5 |
6.4.0 |
6.4.2 |
6.4.5 |
7.0.0 |
7.2.0 |
|
| waf_profile | yes | yes | yes | yes | yes | yes | yes | yes | yes |
Parameters¶
- enable_log - Enable/Disable logging for task type: bool required: false default: False
- forticloud_access_token - Access token of forticloud managed API users, this option is available with FortiManager later than 6.4.0 type: str required: false
- proposed_method - The overridden method for the underlying Json RPC request type: str required: false choices: set, update, add
- bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters type: bool required: false default: False
- workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode type: str required: false choices: global, custom adom including root
- workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock type: integer required: false default: 300
- rc_succeeded - The rc codes list with which the conditions to succeed will be overriden type: list required: false
- rc_failed - The rc codes list with which the conditions to fail will be overriden type: list required: false
- state - The directive to create, update or delete an object type: str required: true choices: present, absent
- adom - The parameter in requested url type: str required: true
- waf_profile - no description type: dict
- comment - Comment. type: str more...
- extended-log - Enable/disable extended logging. type: str choices: [disable, enable] more...
- external - Disable/Enable external HTTP Inspection. type: str choices: [disable, enable] more...
- name - WAF Profile name. type: str more...
- url-access - Url-Access. type: array
more...
- access-pattern - Access-Pattern. type: array
more...
- id - URL access pattern ID. type: int more...
- negate - Enable/disable match negation. type: str choices: [disable, enable] more...
- pattern - URL pattern. type: str more...
- regex - Enable/disable regular expression based pattern match. type: str choices: [disable, enable] more...
- srcaddr - Source address. type: str more...
- action - Action. type: str choices: [bypass, permit, block] more...
- address - Host address. type: str more...
- id - URL access ID. type: int more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- access-pattern - Access-Pattern. type: array
more...
- address-list type: dict
- blocked-address - Blocked address. type: str more...
- blocked-log - Enable/disable logging on blocked addresses. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Status. type: str choices: [disable, enable] more...
- trusted-address - Trusted address. type: str more...
- constraint type: dict
- content-length type: dict
- action - Action. type: str choices: [allow, block] more...
- length - Length of HTTP content in bytes (0 to 2147483647). type: int more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- exception - Exception. type: array
more...
- address - Host address. type: str more...
- content-length - HTTP content length in request. type: str choices: [disable, enable] more...
- header-length - HTTP header length in request. type: str choices: [disable, enable] more...
- hostname - Enable/disable hostname check. type: str choices: [disable, enable] more...
- id - Exception ID. type: int more...
- line-length - HTTP line length in request. type: str choices: [disable, enable] more...
- malformed - Enable/disable malformed HTTP request check. type: str choices: [disable, enable] more...
- max-cookie - Maximum number of cookies in HTTP request. type: str choices: [disable, enable] more...
- max-header-line - Maximum number of HTTP header line. type: str choices: [disable, enable] more...
- max-range-segment - Maximum number of range segments in HTTP range line. type: str choices: [disable, enable] more...
- max-url-param - Maximum number of parameters in URL. type: str choices: [disable, enable] more...
- method - Enable/disable HTTP method check. type: str choices: [disable, enable] more...
- param-length - Maximum length of parameter in URL, HTTP POST request or HTTP body. type: str choices: [disable, enable] more...
- pattern - URL pattern. type: str more...
- regex - Enable/disable regular expression based pattern match. type: str choices: [disable, enable] more...
- url-param-length - Maximum length of parameter in URL. type: str choices: [disable, enable] more...
- version - Enable/disable HTTP version check. type: str choices: [disable, enable] more...
- header-length type: dict
- action - Action. type: str choices: [allow, block] more...
- length - Length of HTTP header in bytes (0 to 2147483647). type: int more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- hostname type: dict
- action - Action. type: str choices: [allow, block] more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- line-length type: dict
- action - Action. type: str choices: [allow, block] more...
- length - Length of HTTP line in bytes (0 to 2147483647). type: int more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- malformed type: dict
- action - Action. type: str choices: [allow, block] more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- max-cookie type: dict
- action - Action. type: str choices: [allow, block] more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- max-cookie - Maximum number of cookies in HTTP request (0 to 2147483647). type: int more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- max-header-line type: dict
- action - Action. type: str choices: [allow, block] more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- max-header-line - Maximum number HTTP header lines (0 to 2147483647). type: int more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- max-range-segment type: dict
- action - Action. type: str choices: [allow, block] more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- max-range-segment - Maximum number of range segments in HTTP range line (0 to 2147483647). type: int more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- max-url-param type: dict
- action - Action. type: str choices: [allow, block] more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- max-url-param - Maximum number of parameters in URL (0 to 2147483647). type: int more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- method type: dict
- action - Action. type: str choices: [allow, block] more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- param-length type: dict
- action - Action. type: str choices: [allow, block] more...
- length - Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647). type: int more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- url-param-length type: dict
- action - Action. type: str choices: [allow, block] more...
- length - Maximum length of URL parameter in bytes (0 to 2147483647). type: int more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Enable/disable the constraint. type: str choices: [disable, enable] more...
- version type: dict
- method type: dict
- default-allowed-methods - Methods. type: array choices: [delete, get, head, options, post, put, trace, others, connect] more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- method-policy - Method-Policy. type: array
more...
- address - Host address. type: str more...
- allowed-methods - Allowed Methods. type: array choices: [delete, get, head, options, post, put, trace, others, connect] more...
- id - HTTP method policy ID. type: int more...
- pattern - URL pattern. type: str more...
- regex - Enable/disable regular expression based pattern match. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Status. type: str choices: [disable, enable] more...
- signature type: dict
- credit-card-detection-threshold - The minimum number of Credit cards to detect violation. type: int more...
- custom-signature - Custom-Signature. type: array
more...
- action - Action. type: str choices: [allow, block, erase] more...
- case-sensitivity - Case sensitivity in pattern. type: str choices: [disable, enable] more...
- direction - Traffic direction. type: str choices: [request, response] more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- name - Signature name. type: str more...
- pattern - Match pattern. type: str more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Status. type: str choices: [disable, enable] more...
- target - Match HTTP target. type: array choices: [arg, arg-name, req-body, req-cookie, req-cookie-name, req-filename, req-header, req-header-name, req-raw-uri, req-uri, resp-body, resp-hdr, resp-status] more...
- disabled-signature - Disabled signatures type: str more...
- disabled-sub-class - Disabled signature subclasses. type: str more...
- main-class type: dict
- action - Action. type: str choices: [allow, block, erase] more...
- id - Main signature class ID. type: int more...
- log - Enable/disable logging. type: str choices: [disable, enable] more...
- severity - Severity. type: str choices: [low, medium, high] more...
- status - Status. type: str choices: [disable, enable] more...
Notes¶
Note
- Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
- To create or update an object, use state: present directive.
- To delete an object, use state: absent directive
- Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded
Examples¶
- hosts: fortimanager-inventory
collections:
- fortinet.fortimanager
connection: httpapi
vars:
ansible_httpapi_use_ssl: True
ansible_httpapi_validate_certs: False
ansible_httpapi_port: 443
tasks:
- name: no description
fmgr_waf_profile:
bypass_validation: False
workspace_locking_adom: <value in [global, custom adom including root]>
workspace_locking_timeout: 300
rc_succeeded: [0, -2, -3, ...]
rc_failed: [-2, -3, ...]
adom: <your own value>
state: <value in [present, absent]>
waf_profile:
comment: <value of string>
extended-log: <value in [disable, enable]>
external: <value in [disable, enable]>
name: <value of string>
url-access:
-
access-pattern:
-
id: <value of integer>
negate: <value in [disable, enable]>
pattern: <value of string>
regex: <value in [disable, enable]>
srcaddr: <value of string>
action: <value in [bypass, permit, block]>
address: <value of string>
id: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
address-list:
blocked-address: <value of string>
blocked-log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
trusted-address: <value of string>
constraint:
content-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
exception:
-
address: <value of string>
content-length: <value in [disable, enable]>
header-length: <value in [disable, enable]>
hostname: <value in [disable, enable]>
id: <value of integer>
line-length: <value in [disable, enable]>
malformed: <value in [disable, enable]>
max-cookie: <value in [disable, enable]>
max-header-line: <value in [disable, enable]>
max-range-segment: <value in [disable, enable]>
max-url-param: <value in [disable, enable]>
method: <value in [disable, enable]>
param-length: <value in [disable, enable]>
pattern: <value of string>
regex: <value in [disable, enable]>
url-param-length: <value in [disable, enable]>
version: <value in [disable, enable]>
header-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
hostname:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
line-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
malformed:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max-cookie:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max-cookie: <value of integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max-header-line:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max-header-line: <value of integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max-range-segment:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max-range-segment: <value of integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
max-url-param:
action: <value in [allow, block]>
log: <value in [disable, enable]>
max-url-param: <value of integer>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
method:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
param-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
url-param-length:
action: <value in [allow, block]>
length: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
version:
action: <value in [allow, block]>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
method:
default-allowed-methods:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
log: <value in [disable, enable]>
method-policy:
-
address: <value of string>
allowed-methods:
- delete
- get
- head
- options
- post
- put
- trace
- others
- connect
id: <value of integer>
pattern: <value of string>
regex: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
signature:
credit-card-detection-threshold: <value of integer>
custom-signature:
-
action: <value in [allow, block, erase]>
case-sensitivity: <value in [disable, enable]>
direction: <value in [request, response]>
log: <value in [disable, enable]>
name: <value of string>
pattern: <value of string>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
target:
- arg
- arg-name
- req-body
- req-cookie
- req-cookie-name
- req-filename
- req-header
- req-header-name
- req-raw-uri
- req-uri
- resp-body
- resp-hdr
- resp-status
disabled-signature: <value of string>
disabled-sub-class: <value of string>
main-class:
action: <value in [allow, block, erase]>
id: <value of integer>
log: <value in [disable, enable]>
severity: <value in [low, medium, high]>
status: <value in [disable, enable]>
Return Values¶
Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:
- request_url - The full url requested returned: always type: str sample: /sys/login/user
- response_code - The status of api request returned: always type: int sample: 0
- response_message - The descriptive message of the api response returned: always type: str sample: OK
- response_data - The data body of the api response returned: optional type: list or dict